samba - May 2007 - Problem with Samba-3.0.25rc3 & idmap_ldap (winbind dumps core)

In an effort to improve my lot, I'm trying to move to a ldap backend 
for idmap synchronization when I deploy the new 3.0.25 version on my 
systems.   In preparation for this, I've set up some test systems -- 
where I'm having some problems that I think others may be 
encountering  (according to a few comments I've seen recently).

In a nutshell, I believe I have set up my ldap services correctly -- 
largely following the ldap portion of the guide 
at: 
http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP

At least according to phpldapadmin, I have a functioning master ldap 
service on one RHEL4 system and a replicating slave service 
established on a second RHEL4 system.  I then install the 
samba-3.0.25rc3-5 packages, and  alter my standard configuration 
according to the samba portion of the guide, taking into account the 
apparent changes needed due to the man pages for smb.conf & 
idmap_ldap.    (Relevant configs attached below...)

One step that I'm having a bit of a problem with, and I think it is 
contributing to the remainder of the problem below, is the entry of 
the credentials for the access to the ldap services.   Several guides 
state that the proper method to store the credentials for your ldap 
access dn is to use smbpasswd:

     smbpasswd -w {password}

However, this command complains:
     ERROR: 'ldap admin dn' not defined! Please check your smb.conf

Only when you put the following line in smb.conf does smbpasswd allow 
you to store the password in secrets.tdb.

At this point, I think that everything is ready.  After firing up the 
upgraded smb & winbind services, I run through my function checklist:

wbinfo -tm     OK
wbinfo -D ACES        OK
wbinfo -D EXTENSION     OK
wbinfo -u       OK

All this is looking good, but I don't see any activity on either ldap 
service.   I don't really expect much, however, until I get to user 
enumeration -- the 'getent passwd' stage.

When I issue my first 'getent passwd {user}' command, winbindd dumps 
core with the following log excerpt from log.winbindd-idmap:

------------------------------------------
[2007/04/30 12:44:04, 1] nsswitch/idmap.c:idmap_init(343)
   Initializing idmap domains
[2007/04/30 12:44:04, 0] nsswitch/idmap_ldap.c:get_credentials(86)
   get_credentials: Unable to fetch auth credentials for 
cn=sambaadmin,dc=aces-web in ACES
[2007/04/30 12:44:04, 1] nsswitch/idmap_ldap.c:idmap_ldap_db_init(805)
   idmap_ldap_db_init: Failed to get connection credentials 
(NT_STATUS_ACCESS_DENIED)
[2007/04/30 12:44:04, 0] nsswitch/idmap.c:idmap_init(438)
   ERROR: Initialization failed for backend ldap (domain ACES), deferred!
[2007/04/30 12:44:04, 0] lib/fault.c:fault_report(41)
   ==============================================================[2007/04/30
12:44:04, 0] lib/fault.c:fault_report(42)
   INTERNAL ERROR: Signal 11 in pid 29969 (3.0.25rc3)
   Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/04/30 12:44:04, 0] lib/fault.c:fault_report(44)

   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/04/30 12:44:04, 0] lib/fault.c:fault_report(45)
   ==============================================================[2007/04/30
12:44:04, 0] lib/util.c:smb_panic(1620)
   PANIC (pid 29969): internal error
[2007/04/30 12:44:04, 0] lib/util.c:log_stack_trace(1724)
   BACKTRACE: 20 stack frames:
    #0 winbindd(log_stack_trace+0x2d) [0x23cc82]
    #1 winbindd(smb_panic+0x56) [0x23cd89]
    #2 winbindd [0x2294e5]
    #3 /lib/tls/libc.so.6 [0x414898]
    #4 winbindd [0x35ca8c]
    #5 winbindd(idmap_init+0xecc) [0x357078]
    #6 winbindd(idmap_sids_to_unixids+0x29) [0x358a78]
    #7 winbindd(idmap_sid_to_uid+0x68) [0x35bda6]
    #8 winbindd(winbindd_dual_sid2uid+0x12b) [0x1dde2b]
    #9 winbindd [0x1dc15d]
    #10 winbindd [0x1dceb9]
    #11 winbindd(winbindd_sid2uid_async+0x7d) [0x1ddcf6]
    #12 winbindd [0x1b1de5]
    #13 winbindd [0x1e0f3f]
    #14 winbindd [0x1dce07]
    #15 winbindd [0x1dc852]
    #16 winbindd [0x1af89c]
    #17 winbindd(main+0x779) [0x1b0d24]
    #18 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x401de3]
    #19 winbindd [0x1af351]
[2007/04/30 12:44:04, 0] lib/fault.c:dump_core(181)
   dumping core in /var/log/samba/cores/winbindd
------------------------------------------



What I note in idmap_ldap.c is that the get_credentials function 
appears to be calling idmap_fetch_secret with some combination of the 
DOMAIN and 'ldap_user_dn'.   However, smbpasswd appears to be fixated 
on the presence of the 'ldap admin dn' directive, leading me to 
believe that smbpasswd may be storing under a different key than the 
retrieval function is looking for...   I traced the smbpasswd code 
back to param/loadparm.c, and everything keys to 'ldap_admin_dn', 
with no association with any domain value.

Then I traced the secret retrieval process back to passdb/secrets.c, 
where I then traced the secrets_store_generic function back out to 
the 'net idmap secret' command.   For others reference, to set the 
ldap_user_dn password for each defined domain, and for the idmap 
alloc config side, you use the following commands:

net idmap secret <DOMAIN> <secret>
net idmap secret alloc <secret>


(Note:  A little pointer dropped in the man page for idmap_ldap would 
have been quite helpful here...)


Both of these were successful for me, so I went directly to 
restarting winbindd and retesting.   Sure enough, we have another 
core dump as I issue the first getent passwd {user} command.

The log excerpt from log.winbindd-idmap follows:
------------------------------------------------
[2007/05/01 02:02:47, 1] nsswitch/idmap.c:idmap_init(343)
   Initializing idmap domains
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(41)
   ==============================================================[2007/05/01
02:02:47, 0] lib/fault.c:fault_report(42)
   INTERNAL ERROR: Signal 11 in pid 10031 (3.0.25rc3)
   Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(44)

   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(45)
   ==============================================================[2007/05/01
02:02:47, 0] lib/util.c:smb_panic(1620)
   PANIC (pid 10031): internal error
[2007/05/01 02:02:47, 0] lib/util.c:log_stack_trace(1724)
   BACKTRACE: 20 stack frames:
    #0 winbindd(log_stack_trace+0x2d) [0xc9dc82]
    #1 winbindd(smb_panic+0x56) [0xc9dd89]
    #2 winbindd [0xc8a4e5]
    #3 /lib/tls/libc.so.6 [0x99f898]
    #4 winbindd [0xdbda8c]
    #5 winbindd(idmap_init+0xecc) [0xdb8078]
    #6 winbindd(idmap_sids_to_unixids+0x29) [0xdb9a78]
    #7 winbindd(idmap_sid_to_uid+0x68) [0xdbcda6]
    #8 winbindd(winbindd_dual_sid2uid+0x12b) [0xc3ee2b]
    #9 winbindd [0xc3d15d]
    #10 winbindd [0xc3deb9]
    #11 winbindd(winbindd_sid2uid_async+0x7d) [0xc3ecf6]
    #12 winbindd [0xc12de5]
    #13 winbindd [0xc41f3f]
    #14 winbindd [0xc3de07]
    #15 winbindd [0xc3d852]
    #16 winbindd [0xc1089c]
    #17 winbindd(main+0x779) [0xc11d24]
    #18 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x98cde3]
    #19 winbindd [0xc10351]
[2007/05/01 02:02:47, 0] lib/fault.c:dump_core(181)
   dumping core in /var/log/samba/cores/winbindd
------------------------------------------------


I'm having trouble tracing this beyond the idmap_init function in 
nsswitch/idmap.c.


If this points to a problem in samba, I hope this helps.   On the 
other hand, if this is a problem in my setup, any pointers in the 
direction of fixing it would be greatly appreciated.

-D


Config details:

smb.conf:      (output from testparm)
-----------------------------------
[global]
         workgroup = ACES
         realm = COLLEGE.ACESNET.UIUC.EDU
         netbios name = ACES-BETA-MAINT
         server string = %L (Samba v%v)
         security = ADS
         obey pam restrictions = Yes
         password server = college.acesnet.uiuc.edu
         username map = /etc/samba/smbusers
         client NTLMv2 auth = Yes
         client lanman auth = No
         client plaintext auth = No
         log file = /var/log/samba/%m.log
         max log size = 0
         name resolve order = host lmhosts wins bcast
         deadtime = 15
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         local master = No
         dns proxy = No
         wins server = 128.174.5.30, 128.174.5.31
# the following line was added to satisfy smbpasswd...
         ldap admin dn = cn=sambaadmin,dc=aces-web
         idmap domains = ALLDOMAINS
         idmap alloc backend = ldap
         idmap uid = 10000-100000000
         idmap gid = 10000-100000000
         template shell = /bin/bash
         winbind cache time = 10
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         idmap alloc config:range = 10000-100000000
         idmap alloc config:ldap_url = ldap://ldap-master.aces-web:389/
         idmap alloc config:ldap_user_dn = cn=sambaadmin,dc=aces-web
         idmap alloc config:ldap_base_dn = ou=idmap,dc=aces-web
         idmap config ALLDOMAINS:range = 10000-100000000
         idmap config ALLDOMAINS:ldap_url = ldap://localhost:389/
         idmap config ALLDOMAINS:ldap_user_dn = cn=sambaadmin,dc=aces-web
         idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=aces-web
         idmap config ALLDOMAINS:backend = ldap
         idmap config ALLDOMAINS:default = yes
         create mask = 0664
         directory mask = 02775
         inherit permissions = Yes
         inherit acls = Yes

         case sensitive = No
-----------------------------------




Don Meyer                                           <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759

On Tue, May 01, 2007 at 02:49:10AM -0500, Don Meyer wrote:
[...]
> Then I traced the secret retrieval process back to passdb/secrets.c, 
> where I then traced the secrets_store_generic function back out to 
> the 'net idmap secret' command.   For others reference, to set the 
> ldap_user_dn password for each defined domain, and for the idmap 
> alloc config side, you use the following commands:
> 
> net idmap secret <DOMAIN> <secret>
> net idmap secret alloc <secret>
> 
> 
> (Note:  A little pointer dropped in the man page for idmap_ldap would 
> have been quite helpful here...)
There is a note in the man pages that say:

	NOTE

	In order to use authentication against ldap servers you may need to
	provide a DN and a password. To avoid exposing the password in plain
	text in the configuration file we store it into a security store. The
	"net idmap " command is used to store a secret for the DN specified
in a
	specific idmap domain. 

From:
http://www.samba.org/samba/docs/man/manpages-3/idmap_ldap.8.html


[..]
> I'm having trouble tracing this beyond the idmap_init function in 
> nsswitch/idmap.c.
> 
> 
> If this points to a problem in samba, I hope this helps.   On the 
> other hand, if this is a problem in my setup, any pointers in the 
> direction of fixing it would be greatly appreciated.
A core dump is definitively an issue, I will try to reproduce and fix it
today on my train trip or at worst tomorrow.


Simo.

--
Simo Sorce       idra@samba.org
-------------------------------
Samba Team http://www.samba.org